[messaging] keys.gnupg.net returns random pages

Andy Isaacson adi at hexapodia.org
Sun Oct 19 18:21:30 PDT 2014

On Sat, Oct 18, 2014 at 10:25:19PM -0700, Daniel Roesler wrote:
> Howdy all, as always, if this is off topic, please direct me to the
> appropriate mailing list.

Something more like cpunks or some gnupg list would probably be more on

> Today I randomly visited http://keys.gnupg.net/, which appears to be
> loading various compromised and broken pages[1][2], which was
> confirmed by Zaki and Rhodey[3].

keys.gnupg.net is a DNS round robin pointing to several hosts run by
different parties.  This works just fine if you depend on the PGP Web of
Trust for your authenticity and privacy, because mutually untrusting
hosts in different administrative domains can provide assertions and
ones that misbehave can be ignored or whatever.

This model works much less well when crossed with the TLS X.509
certification scheme, where a Trusted Third Party is expected to attest
that a specific Private Key entitles the posessor to complete control of
traffic associated with the given name.

As a result, https:// and hkps:// protocols are are more or less
fundamentally incompatible with volunteer-operated multi-organizational
load sharing schemes based on DNS round robin records.

> keys.gnupg.net is the default keyserver for which GPG on my Xubuntu
> 14.04 sends and receives keys, so I'd presume this is not expected
> behavior.

The catch is that most Internet users now assume that HTTP is the only
(or at least the preeminent) way to use the internet.  DNS round robin
application schemes harken back to an earlier, multiprotocol Internet.


More information about the Messaging mailing list